CVE-2018-7448
Published 2018-02-26
Priority: P2 · 58 · high · 7.5 CVSS 3.0
Vector: AV:N / AC:H / PR:L / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 13.25% (95.9th percentile)
Remote code execution vulnerability in /cmsms-2.1.6-install.php/index.php in CMS Made Simple version 2.1.6 allows remote attackers to inject arbitrary PHP code via the "timezone" parameter in step 4 of a fresh installation procedure.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cmsmadesimple | cms_made_simple | — | — |
Detection & IOCs (extracted from sources)
- Monitor POST requests to the installer path containing 'mdf68c24c=4' query parameter, which indicates step 4 of the CMS Made Simple installation, the stage where the timezone injection occurs.
- Detect PHP code injection patterns in the 'timezone' POST parameter, specifically sequences containing single-quote breaks followed by PHP function calls such as system(), echo, or $_GET references.
- Alert on GET requests to config.php with a 'cmd' parameter, which indicates post-exploitation webshell access via the backdoored configuration file.
- Flag any web-accessible cmsms-2.1.6-install.php file that remains present after installation; its continued accessibility is a prerequisite for exploitation.
- Watch for filesystem permission changes to 777 on the web root or config.php, as the installer forces write permissions that enable the injection.
- Exploitation requires a fresh (not yet completed) installation and valid database credentials; the vulnerability is not exploitable on already-installed instances unless the installer file is left accessible.
- The injected payload persists in config.php on disk; remediation requires removing or sanitizing config.php in addition to patching, as the backdoor survives the installation process.
- The vulnerability was fixed in version 2.2; any instance still running 2.1.6 with the installer file present is fully exploitable.
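The request-level checks in the list above, as an added example (not code from the referenced sources or from CMS Made Simple): a Python classifier run over constructed HTTP events. It assumes POST bodies are available from a WAF or reverse-proxy log; the event layout, the finding names and the timezone character allowlist are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

INSTALLER = "cmsms-2.1.6-install.php"
# Assumption: legitimate tz identifiers ("America/New_York", "Etc/GMT+1") use only these chars.
TZ_ALLOWED = re.compile(r"[A-Za-z0-9_+\-/]{1,64}")
# Single-quote break followed by a PHP call or superglobal, as the list describes.
TZ_INJECT = re.compile(r"'.*?(\b(system|echo)\b|\$_GET)", re.I | re.S)

def classify(event):
    """Return finding names for one HTTP event (dict with method, url, body)."""
    parts = urlsplit(event["url"])
    query = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    if INSTALLER in parts.path:
        # Any hit on the installer means the file is still being requested.
        findings.append("installer_path_requested")
        if event["method"] == "POST" and query.get("mdf68c24c") == ["4"]:
            findings.append("installer_step4_post")
            form = parse_qs(event.get("body", ""), keep_blank_values=True)
            for tz in form.get("timezone", []):
                if not TZ_ALLOWED.fullmatch(tz):
                    findings.append("timezone_not_tz_identifier")
                if TZ_INJECT.search(tz):
                    findings.append("timezone_php_injection_pattern")
    if (event["method"] == "GET" and parts.path.endswith("/config.php")
            and "cmd" in query):
        findings.append("config_php_cmd_param")
    return findings

# Constructed sample events (not real traffic); body is URL-encoded form data.
SAMPLE_EVENTS = [
    {"method": "POST", "url": "/cmsms-2.1.6-install.php/index.php?mdf68c24c=4",
     "body": "timezone=Europe%2FBerlin"},
    {"method": "POST", "url": "/cmsms-2.1.6-install.php/index.php?mdf68c24c=4",
     "body": "timezone=UTC%27%3B+system%28"},
    {"method": "GET", "url": "/config.php?cmd=x", "body": ""},
    {"method": "GET", "url": "/index.php?page=news", "body": ""},
]

def scan(events):
    """Classify every event and keep the request line next to its findings."""
    return [(e["method"], e["url"], classify(e)) for e in events]

if __name__ == "__main__":
    for method, url, findings in scan(SAMPLE_EVENTS):
        print(method, url, findings or "-")
```

The allowlist check fires on any timezone value that is not a plain identifier, so it does not depend on the injected code matching a known function name.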
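CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 8.5 | HIGH | AV:N/AC:M/Au:S/C:C/I:C/A:C |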
References
- http://dev.cmsmadesimple.org/project/changelog/5471
- https://packetstormsecurity.com/files/146568/CMS-Made-Simple-2.1.6-Remote-Code-Execution.html
- https://www.exploit-db.com/exploits/44192/